From e03a385dd2576f43bb8880c013242e016373a4f6 Mon Sep 17 00:00:00 2001
From: Jakob Diebold
Date: Tue, 7 May 2024 16:42:00 +0200
Subject: [PATCH] feat: add flag to enable ipv6 egress rule

---
 variables.tf |  6 ++++++
 vpc.tf       | 34 ++++++++++++++++++++++++++++------
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/variables.tf b/variables.tf
index 088a9ee..fdcf57f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -98,6 +98,12 @@ variable "additional_associated_security_group_ids" {
   default = []
 }
 
+variable "enable_ipv6_in_security_group" {
+  description = "Enable IPv6 in the security group"
+  type        = bool
+  default     = false
+}
+
 # iam
 variable "additional_execution_role_policy_document_json" {
   description = "Additional permissions to attach to the base mwaa execution role"
diff --git a/vpc.tf b/vpc.tf
index 9728ceb..cad4931 100644
--- a/vpc.tf
+++ b/vpc.tf
@@ -98,12 +98,6 @@ resource "aws_security_group" "this" {
   tags = merge({ Name = "mwaa-${var.environment_name}-no-ingress-sg" }, var.tags )
-  ingress {
-    from_port = 0
-    to_port   = 0
-    protocol  = "-1"
-    self      = true
-  }
   egress {
     from_port = 0
     to_port   = 0
@@ -113,3 +107,31 @@ resource "aws_security_group" "this" {
   ]
 }
 }
+
+resource "aws_security_group_rule" "ingress_from_self" {
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.this.id
+  to_port           = 0
+  type              = "ingress"
+  self              = true
+}
+
+resource "aws_security_group_rule" "egress_all_ipv4" {
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.this.id
+  to_port           = 0
+  type              = "egress"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "egress_all_ipv6" {
+  count             = var.enable_ipv6_in_security_group ? 1 : 0
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.this.id
+  to_port           = 0
+  type              = "egress"
+  ipv6_cidr_blocks  = ["::/0"]
+}
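Review bot: The description `Enable IPv6 in the security group` on the new `enable_ipv6_in_security_group` variable understates what the flag does: in vpc.tf it gates a single rule that allows all outbound traffic to `::/0` on every protocol, and nothing in this patch touches ingress. Someone reading the module's inputs should learn that blast radius from the description alone, so I would write `description = "When true, add an egress rule allowing all outbound IPv6 traffic (::/0, all protocols) from the MWAA security group"`. The variable name also suggests a broader scope than one egress rule; `enable_ipv6_egress` would be more accurate, though renaming is a breaking change if this input has already shipped.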
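Review bot: The three standalone `aws_security_group_rule` resources are added while `aws_security_group.this` still carries an inline `egress` block — the `]` / `}` context at the top of this hunk closes that block's `cidr_blocks` list, and the previous hunk keeps its `egress {` line; the resource itself begins outside the hunk. The AWS provider documentation says inline rule blocks and `aws_security_group_rule` resources must not be mixed on the same group, because each side manages the full rule set and, per the docs, they overwrite each other and produce perpetual diffs, so the inline `egress` block should be removed in the same change, with `egress_all_ipv4` taking its place. Separately, none of the new rules carries a `description`, which is the field auditors see in the console and in CloudTrail; `description = "Allow all outbound IPv6 traffic"` on `egress_all_ipv6`, and equivalents on `ingress_from_self` and `egress_all_ipv4`, would make the intent reviewable after apply.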